Using guest computers: process description

Usage of guest computers is restricted. The device has to be registered prior to usage.
There is no distinction between wireless and cable networking. Please keep in mind that the MAC addresses of your WLAN and LAN adapters are different. Therefore, if your device is registered using the WLAN adapter, it cannot be used in the LAN and vice versa.
For wireless access use the SSID "HZDR".

Process description

Registration is performed directly at the device. Manual registration of guest computers by HZDR staff or administrators is not possible.

A functional web-browser accepting cookies is required to perform registration.

  1. After connecting the cable or connecting to the wireless cell, devices which are not registered or whose registration is no longer valid receive an IP address in a quarantine network (assignment via DHCP; the DHCP server logs the assignment between MAC and IP).
    Manipulation of the IP address is useless, as access to other networks is blocked via MAC filter (VLAN) on the switches.
    Only the registration web page (https://www.hzdr.de/guestlan, hint: this link works in the guest LAN only) can be retrieved; all other network operations are blocked.
  2. Registration:
    1. the web page https://www.hzdr.de/guestlan provides a login form where the user of the guest computer may log in using
      • her/his HZDR standard username and password, if she/he is an HZDR staff member
      • her/his visitor badge ID *) and a PIN, if she/he is a visitor
      • her/his DFN-Roaming ID and password, if she/he is an eduroam user
      The login data are sent to the HZDR web server via CGI. Communication is encrypted via SSL. The web server sends these data via SQL*Net to the HZDR Oracle RDBMS (executing a stored procedure). The data are not logged!
    2. the stored procedure checks the type of the login request (username is alphanumeric → HZDR user, numeric → HZDR visitor, contains "@" → DFN-Roaming). According to the login type, the procedure continues as follows:
      • HZDR user: the MD5 hash of the provided password is computed and compared against the user's password hash in the HZDR user database **)
      • HZDR visitor: visitor badge ID and PIN are verified against the data in the visitor database (same instance). The PIN can be requested by any registered HZDR staff member via https://www.hzdr.de/guestpin.
      • DFN-Roaming: the procedure creates a RADIUS Access-Request packet using the JRadius library. The packet is sent to the HZDR RADIUS server (communication between the database and the RADIUS server is encrypted). The HZDR RADIUS server checks whether the provided realm matches the local (HZDR) domain or not. If yes, authentication is performed locally. Otherwise the request is forwarded to the DFN RADIUS server over a secured channel.
        The reply packet (Accept/Reject) is sent back to the database stored procedure.
      Login data are neither stored nor logged.
  3. If authentication was successful, the device the request was sent from is registered in the HZDR hardware database (or reactivated, if appropriate).
    The hardware database assigns an IP address from the guest network to the guest device's MAC and updates the DHCP server. MAC filters at the switches are updated (assigning the MAC to the guest VLAN). The following data are stored in the hardware database:
    • device MAC
    • the identity used to register the device (reference to the user/visitor record, or the DFN-Roaming ID)
    • usage period (≤ usage period of the user/visitor record; maximum 1 year for HZDR users and visitors, 24 hours for DFN-Roaming users)
    • assigned IP address
  4. The procedure creates a web page listing the described data as well as a device reference number.
  5. The guest device has to perform a DHCP renew operation in order to obtain the guest IP data.
    Hint: with certain Microsoft Windows versions we observed that an "ipconfig /renew" or deactivating/reactivating the appropriate network adapter was not sufficient. IT recommends rebooting the device after successful registration.
  6. After successful registration the network device has to be physically disconnected from the network (deactivate interface) for approx. 5 min.
*) Only badge IDs between 10000 and 20049 denote visitor badges.
**) Hint: all HZDR access for the user will be locked after 6 unsuccessful login attempts. Reactivation must be performed manually by IT.
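To make the login-type dispatch in step 2.2, the usage-period limits in step 3 and the two footnotes concrete, here is an added Python example. It is not HZDR's stored procedure or any code from this page; the rules are the ones the page states, while the function names, the `LockoutState` structure and the sample identities are assumptions.

```python
"""Dispatch, badge-range, usage-period and lockout rules of the guest-LAN
registration process. Added example; the data structures are assumptions."""

from dataclasses import dataclass, field
from datetime import timedelta

# Footnote *): only this badge ID range denotes visitor badges.
VISITOR_BADGE_MIN = 10000
VISITOR_BADGE_MAX = 20049
# Footnote **): access is locked after this many failed login attempts.
MAX_FAILED_ATTEMPTS = 6
# Step 3: maximum usage period per login type.
USAGE_LIMIT = {
    "hzdr_user": timedelta(days=365),
    "hzdr_visitor": timedelta(days=365),
    "dfn_roaming": timedelta(hours=24),
}


def classify_login(username: str) -> str:
    """Step 2.2 dispatch rule: contains '@' -> DFN-Roaming, all digits ->
    HZDR visitor, otherwise alphanumeric -> HZDR user. Anything else is
    rejected, as is a numeric ID outside the visitor badge range."""
    name = username.strip()
    if not name:
        raise ValueError("empty username")
    if "@" in name:
        # realm check (local vs. DFN) is done by the RADIUS server, not here
        return "dfn_roaming"
    if name.isdigit():
        badge = int(name)
        if not VISITOR_BADGE_MIN <= badge <= VISITOR_BADGE_MAX:
            raise ValueError(f"badge id {badge} is not a visitor badge")
        return "hzdr_visitor"
    if name.isalnum():
        return "hzdr_user"
    raise ValueError("username matches no login type")


def is_valid_login(username: str) -> bool:
    """True if classify_login accepts the username (convenience wrapper)."""
    try:
        classify_login(username)
        return True
    except ValueError:
        return False


def usage_period(login_type: str, record_validity: timedelta) -> timedelta:
    """Step 3: the device's usage period is bounded both by the remaining
    validity of the user/visitor record and by the per-type maximum."""
    return min(record_validity, USAGE_LIMIT[login_type])


@dataclass
class LockoutState:
    """Per-identity failed-attempt counter (assumed structure)."""
    failures: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)

    def record(self, identity: str, success: bool) -> bool:
        """Record one login result; return True if the identity is locked.
        A locked identity stays locked even after a correct password,
        because reactivation is manual (footnote **)."""
        if identity in self.locked:
            return True
        if success:
            self.failures.pop(identity, None)
            return False
        count = self.failures.get(identity, 0) + 1
        self.failures[identity] = count
        if count >= MAX_FAILED_ATTEMPTS:
            self.locked.add(identity)
            return True
        return False


if __name__ == "__main__":
    # constructed sample identities, not real HZDR accounts
    for u in ("jsmith", "12345", "user@uni-example.de", "99", "j.smith"):
        print(u, "->", classify_login(u) if is_valid_login(u) else "rejected")
```

The wrapper keeps the ordering of the checks explicit: the "@" test runs first, so an eduroam ID is never mistaken for an alphanumeric HZDR username, and a purely numeric ID is only accepted when it lies inside the visitor badge range from footnote *).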